CLA 2004 Preliminary Version

Validation of proofs using PhoX Patrick Th´evenon 1,2 LAMA Universit´e de Savoie Campus Scientifique - 73376 Le Bourget-du-Lac Cedex, FRANCE

Abstract In this paper we present the DemoNat project, its purposes and the ideas developed so far. DemoNat is a French project whose aim is to make a program able to analyze and validate proofs made in a natural language. It will be used by students in order to improve the way they understand and make mathematical proofs. Key words: Proof assistant, linguistics, resolution method

1

Introduction

As there are two parts in the project (the analysis and the validation), three laboratories of linguistics and/or mathematics are working on it: •

Lattice / TaLaNa (Paris 7)

•

Calligramme (Nancy)

•

LAMA (Chamb´ery)

The program, not yet implemented, will be based on the proof assistant PhoX which is developed by Christophe Raffalli at the ’Universit´e de Savoie’. This program is already used by students but since it requires the knowledge of commands, it is not so easy to use it. With the DemoNat project students will be able to write their proof in a natural language (say French) and the machine will have to analyze it in term of linguistic and to validate it in term of logic. See below (Fig 1) the diagram of the system. Let us explain it: the student first writes a proof of a theorem in a natural language. The program then translates it into a proof made in an intermediate 1

Thanks to Ren´e David for his attentive reading and corrections. Thanks to Christophe Raffalli for his suggestions of presentation. 2 Email: [email protected] This is a preliminary version. The final version will be published in Electronic Notes in Theoretical Computer Science URL: www.elsevier.nl/locate/entcs

´venon The Proof in natural Language

Proof

Proof in PhoX.nc

Translation

validated

Automatic prover

Fig. 1. Diagram of the system

language called PhoX.nc. It includes the standard commands of PhoX and some others that we will call new commands. Standard commands are the usually defined commands in proof assistants: intro, left, elim, apply, prove, trivial, . . .. All except trivial correspond to combinations of proof rules and so are validated for syntactic reasons. New commands are different because the automatic tactic must prove a formula before validating them. In section 2 we introduce the new commands and explain the purpose of this language. In section 3 we give a simple example of a proof that could be made by a student and we explain how the program will have to analyze it. The section 4 is devoted to the validation, the mathematical part of the project, which needs a theorem prover dedicated to this project.

2

New command: a meta-rule

Before giving the grammar of the new commands we expose their general purpose. A step of the proof is a list of sequents H ` G where H are lists of hypotheses and G are goals to prove. At each step we consider one of these sequents. When a new command is given it generates a list of sequents (H, Hi ` Gi ). The automatic tactic must then be able to show that the current sequent can be deduced from the sequents generated. Intuitively the theorem prover must prove the following sequent: H ` (H1 → G1 ) → . . . → (Hs → Gs ) → G which will justify the meta-rule: H, H1 ` G1 . . .

H, Hs ` Gs

H ` G In the next state of the proof H ` G is deleted from the list of sequents and the sequents H, Hi ` Gi are added. As the definition of new commands is not yet fixed, we give here a very general and partial (but an important part of the) grammar for the commands in PhoX.nc. An important thing to mention is that these commands are designed to be close to a natural language but with a formal grammar. Thus by 2

´venon The

this principle some of the standard commands are kept: let .. cmd | assume .. { and ..} cmd | deduce .. { and ..} cmd | by .. { with ..} cmd | show .. | prove .. | trivial |∅ | cmd then cmd | begin cmd end

(naming)

(hints) (replace goal) (cut rule)

(cases) (brackets)

Some of the commands are obvious but some of them need to be explained. •

let allows to introduce new names, that is to introduce new constants (or variables). For instance if you have to prove that ∀x ∈ R P (x), you can write let t ∈ R show P (t). Then the new name can be used in the current branch of the proof.

•

assume allows to give more information on what the introduced constant must verify. For instance if ∀x M (x) → N (x) is the goal we could write let t assume M (t) show N (t). More generally it is used to add hypotheses.

•

deduce is just for deducing things from the current hypotheses which are added to the hypotheses. For instance if A → B and A are hypotheses we can write deduce B.

•

by and with are really important commands for the prover as they are used to give some clues on how the proof of the ’meta-rule’ can be done. After by and with can be given either an hypothesis (fact) or a variable name. These commands have no influence on the property associated to the new command, they only help the prover. Examples are given in the next sections.

•

show is quite obvious, its purpose is to change the current goal. It can be read as ’it suffices to prove that’.

•

prove is very different from show and from the others given as it is standard and so does not need to be validated by an automatic prover: it is simply the use of a cut rule. Here the user wants to introduce a lemma that he will prove next.

•

then adds sub-goals in the meta-rule. It allows to prove by cases: for example, if we have A ∨ B as an hypothesis, we can write assume A then assume B. This command is also used when the goal is A ∧ B: we can then write show A then show B.

•

begin . . . end is just to put new commands into parentheses. This is necessary because it is possible to put commands into others. 3

´venon The

3

The translation

We now introduce an example of a proof for a proposition that can be made by a student with the system. But first let us introduce some constants and definitions. Let X and Y be two topological spaces. Let f : X −→ Y . We can define two notions of continuity: • f continuous = the inverse image by f of an open set is an open set. • f continuous at x = the inverse image by f of a neighbourhood of f (x) is a neighbourhood of x. For PhoX the notation will be ”continuous at”. Proposition 3.1 f continuous → ∀x ∈ X f continuous at x. Proof. Assume f is continuous, let x ∈ X. Let V be a neighbourhood of f (x), we must prove that its inverse image is a neighbourhood of x. By definition of a neighbourhood let O be an open set included in V and containing f (x). As f is continuous, f −1 (O) is open and x ∈ f −1 (O). As f −1 (O) ⊂ f −1 (V ), the proof is finished. 2 As you can see the proof is really easy. Now let us study in detail how the translation from the natural language to PhoX.nc could be made. We must warn about the fact that this translation is only one possible and that there may be many other translations. The aim is just to point out some of the difficulties that may occur while translating proofs into PhoX.nc. The translation here will be done step by step, that is one sentence after the other. At each step we give the current hypotheses and goal together with the sentence written by the student and from them will follow the translation. Note that the syntax we use in this article for the formulae is not exactly the syntax found in PhoX. For example, we will always write ”x ∈ X” when in PhoX it could be written ”X x”. Another examples are the use of ”xn ” instead of ”x n” and ”f (x)” instead of ”f x”. The aim is just to have usual notations in order to be more readable by anyone. • First the user adds assumptions and so changes the goal. ` f continuous → ∀x ∈ X f continuous at x Assume f is continuous, let x ∈ X. ⇓ assume f continuous let x ∈ X show f continuous at x. It is necessary, in the translation, to give the new goal (if it changes) even if the user does not give it explicitly, in order to obtain a valid meta-rule. It is the first difficulty encountered but this one is not very hard as the translator knows the current state of the proof and so can infer that we are dealing with 4

´venon The

a goal of the form M → N and that M is assumed. Thus what is to be proved is N. • Now the user shows that he knows his definition of local continuity. H:= f continuous H0:= x ∈ X ` f continuous at x Let V be a neighbourhood of f (x), we must prove that its inverse image is a neighbourhood of x. ⇓ let V assume V neighbourhood.Y f (x) show (reverse f V) neighbourhood.X x. Here there are two difficulties. The first one is that the student knows implicitly that there are two kinds of neighbourhood but he does not make this difference explicitly in his sentence. So the translator has to be able to deal with that: find the good notions of neighbourhood for each word. Here it is one more time helped by reading the definition of the goal. The sentence of the student is no more than a reading of a definition. The second difficulty comes from the use of the word ’its’. To what does it refer ? Such kind of words, called anaphoras, can often appear in proofs and the translator will have to deal with them. Here it clearly refers to the neighbourhood V which is the last constant defined by the student. Moreover it is not given by which function we take the inverse image of ’it’. Here the context implies that it can only be the function f . • Now the student uses an hypothesis: H:= f continuous H0:= x ∈ X H1:= V neighbourhood.Y (f x) ` (reverse f V ) neighbourhood.X x By definition of a neighbourhood let O be an open set included in V and containing f (x). ⇓ by H1 let O assume O open.Y and O ⊂ V and f (x) ∈ O. Most of the hypotheses will never be explicitly named by the user (even if it is possible to do this in the system) because usually they are not. Hypotheses are only named in difficult proofs or when they can be used many times, etc. . . Here the student just wrote ”by definition of a neighbourhood” so he 5

´venon The

could either work on the goal or on the hypothesis H1 as both ’speak about’ neighbourhood. In fact if the translator does not manage to know that we are working on H1, it could try the different possibilities in order to find the good one which is the one that will be validated by the automatic prover (otherwise the user can come back to the last goal and changes its sentence). But it could here find that the user talks about the hypothesis H1 as it talks about f (x), which only appear in this hypothesis. • Here is another use of assumption: H:=. .. H2:= H3:= H4:=

f continuous O open.Y O⊂V f (x) ∈ O

` (reverse f V ) neighbourhood.X x As f is continuous, f −1 (O) is open and x ∈ f −1 (O). ⇓ by f continuous deduce (reverse f O) open.X and x ∈(reverse f O). We just here note that the translator may use directly the hypothesis instead of its name • Here is the end of the proof: .. . H3:= O ⊂ V .. . H5:= (reverse f O) open.X ∧ x ∈(reverse f O) ` (reverse f V ) neighbourhood.X x As f −1 (O) ⊂ f −1 (V ), the proof is finished. ⇓ deduce (reverse f O) ⊂ (reverse f V ) trivial. The difficulty here is that the word ’as’, unlike in the previous step, does not refer to an hypothesis already proven but to a fact that seems obvious to the user. So the new command here must be deduce and not by. Finally, when the proof is finished (explicitly said as here or not) the last command must be trivial, that is the result must be proven in the last state of the proof by the automatic prover.

6

´venon The

4

The validation of meta-rules

In this part we explain how the meta-rules coming from the new command could be validated by an automatic prover. As the current automatic tactic of PhoX is not powerful enough for the new commands, we need another one, dedicated to the problem. The idea is in fact to implement an inverse resolution method in a lazy way. The purpose of this paper is not to define it, we will just give some examples and hope that they are clear enough. We assume anyway that the reader knows what is the resolution method. Otherwise, see some of the references given, for instance [2] and [5]. We forget the previous example and take another ones, better for purposes of readability. In fact we will give two examples. For each we give the current step of the proof then the sequent given to the automatic prover, to finish with the proof. A simple example • Consider the following formula: ∀i ∈ I

A ∩ h(i) = f (i) ⇒ A ∩

\

h(i) =

i∈I

\

f (i)

i∈I

It is obvious that it is an implication P → Q. Thus to prove it we take P as an hypothesis and Q as the goal. We obtain the following sequent to prove which is solved by the given new command: E0:= ∀i ∈ I A ∩ h i = f i ` A ∩ (Inter h I) ⊂ (Inter f I) let x ∈ A ∩ (Inter h I) show x ∈(Inter f I). Where Inter f I is the notation for the intersection of the f (i) for i ∈ I. • To validate the new command, that is to validate the meta-rule associated to this situation, the automatic prover has to be able to prove the sequent below (which should never appear to the user): E0:= ∀i ∈ I A ∩ h i = f i ` ∀x [x ∈ A ∩ (Inter h I) → x ∈(Inter f I)] → A ∩ (Inter h I) ⊂ (Inter f I) Simplifying the formulae by using generic names and thanks to the definition of a subset (X ⊂ Y := ∀x x ∈ X → x ∈ Y ) it is equivalent to the following sequent: E0 ` K→K 7

´venon The

• This is very easy to prove by any prover. We see here that in some cases the formula given to the automatic prover is just a propositional tautology. Note however that here K represents a formula which is not propositional. Thus the automatic tactic must not see in detail what is the formula. It decomposes only the formula K → K and ends the proof when it unifies K and K. Formulae can be seen as ’black boxes’ until a decomposition is needed. Note that after this proof, the new command is validated, and that the current sequent (printed for the user) becomes: E0:= ∀i ∈ I A ∩ h i = f i E1:= x ∈ A ∩ (Inter h I) ` x ∈(Inter f I) Two things have been done between the two states of the proof: an introduction of a universal quantifier and an introduction of an arrow. An important thing to notice is that the automatic tactic didn’t have to make these introductions, as they are implied by the syntax of the new command. The automatic tactic just has to validate the meta-rule. And in this case it is possible by proving a propositionnal formula.

A more difficult one • Let F be a closed set and (xn )n ⊂ F . While proving that (xn )n converging to a → a ∈ F we take a sequence (xn )n of F converging to a. As F is closed it suffices to take a neighbourhood V of a and to show that F ∩ V is not empty. So we get the following sequent (the dots replace some hypotheses like F closed that we will not need) and new command: .. . G:= ∀V (V neighbourhood a → ∃n ∈ N xn ∈ V ) H:= V neighbourhood a ` ∃y ∈ F ∩ V by [G] with [H] let n ∈ N

assume xn ∈ V .

• To this is associated the following sequent given to the automatic prover (the hypotheses are the same, they are our environment): .. . G:= ∀V (V neighbourhood a → ∃n ∈ N xn ∈ V ) H:= V neighbourhood a ` ∀n ∈ N (xn ∈ V → ∃y ∈ F ∩ V ) → ∃y ∈ F ∩ V 8

´venon The

Remember that the commands by and with have no influence on the formula, they just give some information to the automatic prover. And here the information is very good, as only the two hypotheses named will be used to prove the property. We can again simplify by giving names to some sub-formulae and deleting the useless hypotheses: G:= ∀ V (H[V ] → ∃n (n ∈ N ∧ xn ∈ V )) H:= H[V ] ` ∀n (n ∈ N → xn ∈ V → K) → K • And now how can the automatic tactic prove this sequent ? As we have already said we will use a resolution method. So we start with a first set of clauses. We add one clause for each hypothesis and we negate the goal to obtain the last one: C1 :={∀V (H[V ] → ∃n (n ∈ N ∧ xn ∈ V ))} C2 :={H[V ]} G:={¬ [∀n (n ∈ N → xn ∈ V → K) → K]} We follow now what should be the better way to find a contradiction. First we decompose the goal G (¬(A → B) is seen as A ∧ ¬B) to obtain two new clauses C3 and G0 : C1 :={∀V (H[V ] → ∃n (n ∈ N ∧ xn ∈ V ))} C2 :={H[V ]} C3 :={∀n (n ∈ N → xn ∈ V → K)} G0 :={¬K} Then we decompose the clause C1 , obtaining a variable of unification V ?, giving C10 and the clause C3 , obtaining a variable of unification n? and we rewrite the clause obtained C30 : C10 :={(H[V ?] → ∃n (n ∈ N ∧ V ? (x n)))} C2 :={H[V ]} C30 :={¬n? ∈ N ∨ ¬xn? ∈ V ∨ K)} G0 :={¬K} Now considering that A → B is equivalent to ¬A ∨ B, we can apply the resolution rule between C10 and C2 to obtain C4 : C4 :={∃n (n ∈ N ∧ xn ∈ V )} C30 :={¬n? ∈ N ∨ ¬xn? ∈ V ∨ K)} G0 :={¬K} Now we decompose the clause C4 , obtaining a constant of unification n in a clause C40 :

9

´venon The

C40 :={n ∈ N ∧ xn ∈ V } C30 :={¬n? ∈ N ∨ ¬xn? ∈ V ∨ K)} G0 :={¬K} Decomposing the clause C40 we get two new clauses C5 and C6 : C5 :={n ∈ N} C6 :={xn ∈ V } C30 :={¬n? ∈ N ∨ ¬xn? ∈ V ∨ K)} G0 :={¬K} We see now that we can apply some resolution rules between C5 , C6 , G0 and C30 to obtain the empty clause , which ends the proof. What can we conclude about what we have just seen ? That our way to apply a resolution strategy is not standard. In fact it is in some sense an inverse resolution strategy: the formulae are decomposed only when needed, we are not dealing with conjunctive normal forms of atomic formulae as it is done in the classical resolution method. We can often see that most of the sub-formulae are useless for the automatic tactic. For example it does not need to know what is the formula K when it proves K → K. So formulae are kept as they are and decomposed only when needed. This is why we call our method an ’inverse resolution in a lazy way’. So The commands by and with are very useful to indicate which hypotheses should be more quickly decomposed than the others.

5

Conclusion

What we have seen here is an overview of the DemoNat project which is not yet implemented (except PhoX and PhoX.nc). Some of the difficulties that can appear in the linguistic part of the project have been pointed out. In the basic example given they seem not to be strong: we have only done a translation sentence by sentence. In fact there are two ways of thinking the system. The first one is to validate a whole proof and so to read the complete text of the proof. In this case the system has a great freedom on the parts translated into PhoX.nc. The second one is to build a proof, i.e. the user interacts with the system. He writes a proof and when he needs to know what is the current state of the proof he tells it to the analyzer. Then the system analyses the part asked by the user. In both cases the context must be kept by the system after each step. This is needed to be able to solve the problems of anaphoras. Moreover the translation must be able to give the ”hints” to the automatic tactic in order to help it in proving the formulae implied by the new command. The user may not give them each time and so a study of the context may help to find the important hypotheses. This part is really an essential one and makes a 10

´venon The

difference with usual theorem provers. As we have seen, a good way to handle with the formulae implied by the commands of PhoX.nc is to implement an inverse resolution in a lazy way. Indeed the formulae given to the automatic prover seem to be particular: most of them are propositional or need the use of few quantifiers. We could think about a prover becoming stronger when the user is a more advanced student. This means that the system may reject steps of the proof if it sees that they are too difficult for a beginner for example.

References [1] C.-L. Chang and R. C.-T. Lee, Symbolic Logic and mechanical Theorem proving, Academic Press 1973. [2] R. David, K. Nour and C. Raffalli, Introduction la logique, Dunod 2001. [3] D. A. Duffy, Principles of automated theorem proving, Wiley 1991. [4] M. Fitting, First-order Logic and automated Theorem proving, Springer-Verlag 1990. [5] A. Leitsch, The Resolution Calculus, Springer-Verlag 1997. [6] T. Tammet, Resolution Theorem Prover for Intuitionistic Logic, in CADE-13, LNCS 1104, Springer-Verlag 1996. [7] T. Tammet, Resolution, inverse method and the sequent calculus, University of G¨oteborg and Chalmers University of Technology.

11